Fix admin seed, open username/email changes, invite refresh & revocation

- Seed checks for any admin role instead of username='admin'
- Username change open to all registered users (was admin-only)
- New change-email endpoint requiring password confirmation
- Settings page: inline editing for username and email
- Invitations: await refresh after generate so list updates visibly
- Invitations: revoke button to delete unused invites (admin only)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/server/src/routes/invites.ts

@@ -141,4 +141,26 @@ invitesRouter.get('/', authMiddleware, requireAdmin, async (c) => {
   return c.json({ invitations: enriched });
 });
 
+invitesRouter.delete('/:id', authMiddleware, requireAdmin, async (c) => {
+  const inviteId = c.req.param('id');
+
+  const [invite] = await db
+    .select({ id: invitations.id, usedBy: invitations.usedBy })
+    .from(invitations)
+    .where(eq(invitations.id, inviteId))
+    .limit(1);
+
+  if (!invite) {
+    return c.json({ error: 'Invitation not found' }, 404);
+  }
+
+  if (invite.usedBy) {
+    return c.json({ error: 'Cannot revoke a used invitation' }, 400);
+  }
+
+  await db.delete(invitations).where(eq(invitations.id, inviteId));
+
+  return c.json({ deleted: true });
+});
+
 export { invitesRouter };